Cybersecurity risks (and solutions) for K-12 education

Why Cybersecurity Risks in K-12 Schools Are Rising


K-12 schools face cyberattacks? How can that be? It seems so inappropriate, so illegal. It is both of those things, but unfortunately, such attacks are increasingly common. For instance, according to the 2018 State of K-12 Cybersecurity: Year in Review, a report from the K-12 Cybersecurity Resource Center, 119 schools experienced 122 cyberattacks that year. These ranged from data breaches to phishing scams and ransomware attacks.

To understand the scale of the problem, consider that the Los Angeles Times reported as many as 500,000 students and staff at the San Diego Unified School District may have had their personal data stolen in 2018. The breach included Social Security numbers, dates of birth, phone numbers and private health information.

Why K-12 Cyber Security Needs to Be Prioritized

The only “consolation” here is that breaches of this magnitude are happening all over the place, in virtually every corporate and government setting. Hackers tend to look for weakly guarded systems. School districts have those, due to limited resources for IT and cyber security. And, to be sure, who would have even thought of this as an issue even a few years ago?

It is a serious problem now, however. Thousands of students, their families, faculty and staff are having their privacy invaded. They are at risk for fraud, identity theft and online harassment. College admissions and other sensitive educational processes such as special ed grants are at risk if private data is exposed online. Data breaches affect the districts’ reputations and diminish community trust in the institutions.

 

How and Why School Data Is Getting Breached

Many school breaches are the result of phishing attacks. In this hacking technique, a school district employee receives an email containing a malware link. Clicking on the link allows his or her machine or mobile device (i.e., a network “endpoint”) to become infected. This gives the hacker an opening to pierce the school district’s network and steal data. For context, Verizon reported in 2018 that users in the U.S. open 30% of all phishing emails, with 12% of those targeted clicking on infected links or attachments.

Hackers also deploy ransomware and lock up the school’s data until the district pays the hacker’s price. Another technique involves social engineering, where a hacker impersonates a district employee or vendor in order to steal network login credentials. Hackers take advantage of the relative openness of school district networks, student laptops and mobile apps, which are set up for community inclusion and student access to educational resources – creating vulnerability to breach in the process.

As CSO Magazine reported, citing the Verizon breach study, “The number of security incidents involving mobile devices has increased over the past year, but companies are not protecting their mobile assets as well as they do other systems. One in three organizations admitted to suffering a compromise due to a mobile device.”

On the defense side, school districts usually have not prioritized strong security. They may not have the personnel or skill sets to defend digital assets. However, cleaning up data breaches is financially costly for schools. The district may also face state and federal penalties for failing to follow security precautions.

What to Do About It

It’s clear that schools need stronger cybersecurity at this time. This should include countermeasures like effective access controls for the network, especially for the “privileged” administrative back end of school databases and email systems. Each network endpoint, meaning laptops, servers and mobile devices, has to have dedicated protection software such as antivirus solutions.

For prevention, school districts are advised to implement security tests and scans for malware. Best practices suggest that school districts define and enforce security policies for regular system patching and firewall administration. Indeed, many breaches result from known vulnerabilities that have not been patched. This is usually due to a lack of personnel as well as lax processes.

Money and personnel are big factors here, as one might expect. Security can be expensive, though in some cases, simple fixes like endpoint anti-virus are relatively cheap for the defense they provide. The cybersecurity industry now fields many proven endpoint security, prevention and detection solutions. Managed Security Service Providers (MSSPs), including those run by state cybersecurity agencies, offer affordable, high-level protections for districts.

More Ways for Schools to Improve Their Cyber Security

Providing security for a school district is not a static process. It is (or should be) ever-changing and dynamic. Given the turnover in students every school year, this is essential. In tandem, districts are well-advised to incorporate robust hardware and infrastructure countermeasures like security tests and virus scans. There are even some fascinating solutions coming online now that feature Artificial Intelligence (AI) to detect suspicious activity on the network. These have potential for school districts.

At the very least, it makes sense to back up school data. Data loss is a common consequence of malware, breaches and ransomware. Improved awareness can also help. It’s a good idea to train administrators, teachers and students about cyber security through professional security companies/IT employees. For example, if people are more savvy about phishing, they will be less likely to click on malware links.

How Prey Can Help

Prey offers a solution for helping schools and universities implement improved cyber security. It provides unified management of security, enabling groupings of devices by class, usage, or state with custom tags. Security managers can thus view devices’ statuses and hardware changes. They can assign them to faculty or students through a single, multi-operating system platform.

In terms of reactive security, Prey lets administrators know when devices move out of bounds of Control Zones. They see historic movements and react automatically with anti-theft alarms, alerts and locks. Throughout, the solution conducts forensic evidence gathering. Prey is focused on data privacy. Data wipe and retrieval reactions add a layer of protection that’s compliant with The Family Educational Rights and Privacy Act of 1974 (FERPA).

Hugh Taylor


Hugh Taylor is a Certified Information Security Manager (CISM) who has written about cybersecurity, compliance, and enterprise technology for such clients as Microsoft, IBM, SAP, HPE, Oracle, Google, and Advanced Micro Devices. He has served in executive roles at Microsoft, IBM, and several venture-backed technology startups. Hugh is the author of multiple books about business, security, and technology.